CVE-2015-2425

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 July 2015

Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3483 (97.1th percentile)
Risk Priority: 58 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-2425 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft Internet Explorer 11 contains a memory corruption vulnerability tracked as CVE-2015-2425 and assigned CWE-787. The flaw permits out-of-bounds writes when the browser processes specially crafted web content, leading to arbitrary code execution or denial of service. It is distinct from the related issues CVE-2015-2383 and CVE-2015-2384 and carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can exploit the issue by convincing a user to visit a malicious website under the attacker's control. Successful exploitation grants the ability to execute arbitrary code in the context of the current user or to crash the browser process.

Microsoft addressed the vulnerability in security bulletin MS15-065, which supplies patches for affected builds of Internet Explorer 11. The bulletin and corresponding SecurityTracker entries recommend applying the updates as the primary mitigation; no additional configuration changes are specified in the references.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.

Vulnerability details

Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-2383 and CVE-2015-2384.

CWE(s)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
internet explorer
11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation
prevent

Directly requires timely installation of security-relevant patches such as MS15-065 to eliminate the out-of-bounds write flaw in IE 11.

SI-16 Memory Protection
prevent

Mandates memory-protection mechanisms that block the out-of-bounds writes (CWE-787) exploited by CVE-2015-2425.

SC-18 Mobile Code (partial match)
prevent

Restricts execution of untrusted mobile code delivered via web pages, limiting the attack vector used to trigger the IE memory corruption.

References